120 Million American Households Exposed In 'Massive' ConsumerView Database Leak

Alteryx has downplayed a large leak of information, but the researcher who uncovered the database said it was "misleading." (Photographer: Michael Nagle/Bloomberg)

Information on more than 120 million American households was sitting in a massive database found left exposed on the web earlier this month, Forbes has been told. It included an extraordinary range of personal details on residents, including addresses, ethnicity, interests and hobbies, income, right down to what kind of mortgage the house was under and how many children lived at the property. In total, there were 248 different data fields for each household, according to the researcher who uncovered the leak data this week.

Whilst there were no names exposed, Chris Vickery, a cybersecurity researcher from UpGuard, told Forbesit was simple to determine who the data was linked to, either by looking at the details or by crosschecking with previous leaks. He found the data was sitting in an Amazon Web Services storage "bucket," left open to anyone with an account, which are free to obtain.

As long as they knew the right URL to visit, an Amazon Web Services user could retrieve all the data, which was left online by marketing analytics company Alteryx. It was apparent that the firm had purchased the information from Experian, as part of a dataset called ConsumerView, on top of which Alteryx provides marketing and analytics services.Vickery thinks the data was part of a product - the Alteryx Designer With Data - thatsells for around $38,995 per license. In its ownmarketingfor the Experian service, Alteryx notes that the database contains "consumer demographics, life event, direct response, property, and mortgage information for more than 235 million consumers."

'Misleading' response

After being informed by Vickery about the open data, the company took action and secured the database from public view last week. In an emailed statement, Alteryx played down the severity of the leak. A spokesperson told Forbes: "Alteryx secured the bucket, removed the file and has taken steps to prevent this from happening in the future. Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information."Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. The information in the file does not pose a risk of identity theft to any consumers."

Experian had a similar stance as its partner. "This is an Alteryx issue, and does not involve any Experian systems," a spokesperson said. "Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue."

Vickery, who published a blog post with UpGuard on Tuesday, disagreed with the two data handling giants. "That is incredibly misleading. I do not understand how anyone could possibly claim there is no risk posed here," he told Forbes. "Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information."Whether for fraud or for other nefarious purposes, criminals could use such data to create an accurate picture of someone's life, he argued. "If you cross-reference it with a voter registration database, or if you have records from an advertiser on the web, like a big web advertiser, you piece these things together and you've got a very accurate view of who someone is: what they like doing, where they work, where they live, how many kids they have," Vickery added.

The researcher has previously uncovered vast troves of data, including a massive voter registration database in 2015, which included information on 198 million Americans. He didn't know how long the Alteryx database had been left open. Alteryx hadn't responded to a request for comment on whether anyone else had accessed the information prior to Vickery.

'Massive leak'

Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, agreed with Vickery the lack of names was insignificant. "That is a massive leak. These are very valuable data fields, constituting the essential details of a core of American households," Hall said.

"If you are trying to decide what houses on a block to rob, you don't care about the names of the people that live there. Especially, if the data shows that you are an outlier; for example, an elderly male art collector living in a nondescript home... it may be easily possible to infer things that people most definitely don't want to be public, or worse, leaked into the hands of elements of the black market."

Following the massive breach at Equifax revealed in September this year, there have been calls for better laws to guarantee the protection of Americans' information. Hall noted the U.S. is the only country in the world "that doesn't obligate those that work with sensitive personal data protect it." The Equifax hack, which led to the loss of information on at least 145.5 million people, did lead to some proposals, including the Data Broker Accountability and Transparency Act from democrats. It promised a requirement for data brokers to develop "comprehensive privacy and data security programs."